11/15/2006 18:45 FAX 732 530 9808 PATTERSON & SHERIDAN PTO QOOS/Oll 

RECEIVED 

09/71 1 ,323 CENTRAL FAX CENTER 

AMENDMENTS TO THE CLAIMS: NOV 1 5 2006 

This listing of claims will replace all prior versions, and listings, of claims in the 
application: 



LISTING OF CLAIMS 

1 . (Currently Amended) A method for correlating a first sensor to a second sensor 
in an intrusion detection system, the first and second sensors each maintaining belief 
over a number of possible states of the system, the method comprising the steps of: 

(a) transmitting to the first sensor infomiation about the second sensor's belief 
state, said belief state indicating a state of at least one system resource or service 
directiv monitored by the second sensor : and 

(b) adjusting a prior belief state of the first sensor, said belief state indicating 
a state of at least one system resource or service directiv monitored bv the first sensor , 
the adjustment based at least in part on the second sensor's belief state. 

2. (Original) The method of claim 1 wherein the first and second sensors are 
different types of sensors. 

3. (Original) The method of claim 2 wherein the first sensor is a probabilistic 
sensor. 

4. (Currently Amended) A method for reducing false alarms generated by an 
intrusion detection system when a monitored resource is degraded or compromised, the 
intrusion detection system having a first and second sensors each maintaining belief 
over a number of possible states of the system, the method comprising the steps of: 

(a) transmitting to the first sensor all or part of the belief of the second sensor 
regarding an apparent normal, degraded or compromised state of a resource directly 
monitored rooourc e by the second sensor : and 

(b) adjusting a prior belief state of the first sensor reganjing an apparent 
normal, degraded or compromised state of a resource directly monitored bv the first 
sensor so that an enroneous transaction with the degraded or compromised resource 
does not generate an alarm. 
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5. (Currently Amended) A method for enhancing the sensitivity of an intmsion 
detection system that monitors a plurality of computer system resources, the intrusion 
detection system having a first and second sensors each maintaining belief over a 
number of possible states of the system, the method comprising the steps of: 

(a) transmitting to the first sensor all or part of the belief of the second sensor 
regarding the existence or validity of services supported on m onitor e d computer system 
resources directiv monitored bv the second sensor : and 

(b) adjusting a prior belief state of the first sensor regarding t he existence or 
validitv of services supported on computer svstem resources dire ctiv monitored bv the 
first sensor so that an attempted communication with a nonexistent system service or 
resource appears suspicious. 

6. - 9. (Cancelled) 

10. (New) A computer readable medium containing an executable program for 
correlating a first sensor to a second sensor in an intrusion detection system, the first 
and second sensors each maintaining belief over a number of possible states of the 
system, where the program performs the steps of: 

(a) transmitting to the first sensor infomiation about the second sensor's belief 
state, said belief state indicating a state of at least one system resource or service 
directly monitored by the second sensor; and 

(b) adjusting a prior belief state of the first sensor, said belief state indicating 
a state of at least one system resource or service directly monitored by the first sensor, 
the adjustment based at least in part on the second sensor's belief state. 

1 1 . (New) Apparatus for correlating a first sensor to a second sensor in an Intrusion 
detection system, the first and second sensors each maintaining belief over a number of 
possible states of the system, the apparatus comprising: 

(a) means for transmitting to the first sensor information about the second 
sensor's belief state, said belief state indicating a state of at least one system resource 
or service directly monitored by the second sensor; and 
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(b) means for adjusting a prior belief state of the first sensor, said belief state 
indicating a state of at least one system resource or service directly monitored by the 
first sensor, the adjustment based at least in part on the second sensor's belief state, 

12. (New) A computer readable medium containing an executable program for 
reducing false alarms generated by an intrusion detection system when a monitored 
resource is degraded or compromised, the intrusion detection system having a first and 
second sensors each maintaining belief over a number of possible states of the system, 
where the program performs the steps of: 

(a) transmitting to the first sensor all or part of the belief of the second sensor 
regarding an apparent normal, degraded or compromised state of a resource directly 
monitored resource by the second sensor; and 

(b) adjusting a prior belief state of the first sensor regarding an apparent 
normal, degraded or compromised state of a resource directly monitored by the first 
sensor so that an erroneous transaction with the degraded or compromised resource 
does not generate an alamri. 

13. (New) A computer readable medium containing an executable program for 
enhancing the sensitivity of an intnjsion detection system that monitors a plurality of 
computer system resources, the intrusion detection system having a first and second 
sensors each maintaining belief over a number of possible states of the system, where 
the program performs the steps of: 

(a) transmitting to the first sensor all or part of the belief of the second sensor 
regarding the existence or validity of services supported on mon i tored computer system 
resources directly monitored by the second sensor; and 

(b) adjusting a prior belief state of the first sensor regarding the existence or 
validity of services supported on computer system resources directly monitored by the 
first sensor so that an attempted communication with a nonexistent system service or 
resource appears suspicious. 
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